在Spring security 6中配置requestMatchers时,如何将端点包含在查询参数中?

pb3skfrl  于 2023-01-13  发布在  Spring
关注(0)|答案(1)|浏览(226)

我有以下代码...

import com.purepm.admin.services.authentication.AudienceValidator;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
@Configuration
public class SecurityConfig{

    @Value("${auth0.audience}")
    private String audience;

    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuer;
    @Bean
    JwtDecoder jwtDecoder() {
        NimbusJwtDecoder jwtDecoder = (NimbusJwtDecoder)
                JwtDecoders.fromOidcIssuerLocation(issuer);

        OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
        OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);

        jwtDecoder.setJwtValidator(withAudience);

        return jwtDecoder;
    }
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests()
                .requestMatchers("/").permitAll()
                .requestMatchers("/person").hasAuthority("SCOPE_blahablah")
                .anyRequest().authenticated();

        return http.build();
    }
}

但是,当我使用以下命令运行请求curl http://localhost:8080/person -v时,我看到预期的403...

*   Trying 127.0.0.1:8080...
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET /person HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.85.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 
< Set-Cookie: JSESSIONID=EFD9C400D91760FE8FA2119AC2EB382B; Path=/; HttpOnly
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 0
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Length: 0
< Date: Wed, 11 Jan 2023 21:45:16 GMT
< 
* Connection #0 to host localhost left intact

这和预期的一样,因为我没有提供授权头(尽管我希望是401)。
但是当我添加curl http://localhost:8080/person?email=me@me.co这样的查询参数时,它只是让它直接通过,我得到了200。有没有办法在有查询参数的情况下使用查询字符串来强制执行403?

fdbelqdn

fdbelqdn1#

如果您有一个端点/person?email=me@me.co,您可以为这个端点配置一个请求匹配器,如下所示:

http.authorizeRequests()
    .antMatchers(HttpMethod.GET, "/person?email=me@me.co").hasAuthority("SCOPE_blahablah")

如果要匹配任何查询参数,可以使用.*匹配任何字符:

http.authorizeRequests()
    .antMatchers(HttpMethod.GET, "/person*").hasAuthority("SCOPE_blahablah")

相关问题